“Sd@sd!#dfs@wefe%@@##!” is what the dark lord would have said, if he weren’t so civilized. No, instead his first words were “are you kidding me?” The dark lord I refer to in this case is my boss. He can tell you a thing or two about why data encryption is so important. Especially now, since he is a former employee at Netegrity and, possibly, a soon‑to‑be identity theft statistic.
CA, Inc., formerly known as Computer Associates and buyer of Netegrity in 2004, has filed a letter with the New Hampshire Attorney General’s office. Netegrity is a recent addition to the group of companies affected by the theft of computers from Colt Express Outsourcing Services. According to the letter, the information on 507 former Netegrity employees and dependents was in one of the lost computers. My boss tells me that the company had about 600 employees at its peak, so he’s pretty certain he’ll get the letter informing him of the loss. (He can get a preview by clicking on the above link.)
Information that could possibly be breached includes names, addresses, phone numbers, dates of birth, and Social Security numbers. “Possibly breached,” since, if memory serves, the stolen computers had password‑protection as a “security measure.” (I may be wrong about this. Colt has never, as far as I know, announced that the stolen computer had password‑protection. I probably read it from one of the other companies’ letters to the NH AG.)
What’s funny to me (in a clear case of schadenfreude) is that CA is stuck with this situation for absolutely no reason but bad luck. Since former Netegrity employees, not CA employees, are affected, it’s quite obvious that it was Netegrity who had signed up with Colt in the first place. And, I’d imagine that once CA bought out Netegrity, any remaining employees who went into CA’s fold would have had their benefits management transferred over to whoever CA was, or is, using. Furthermore, if my logic is not wrong, at that point Colt should have gotten rid of the Netegrity data or secured it somehow. Probably the latter, since in this lawsuit‑happy country you may need to prove your innocence someday, somehow for some reason or other. However, Colt hadn’t secured the data.
So, again, CA is stuck with the mess, just like Google, bebe, and CNet, among others. A further twist is that CA has “implemented steps to ensure that appropriate security measures are in place to prevent this kind of loss…” Why? I mean, educating employees about data security is a good idea in the digital age. However, the data security breach that CA has experienced was—let’s face it—outside of CA’s control. The company also writes about requiring vendors to sign a “Data Protection Agreement.” Again, a good thing…but how would it have helped in a situation like Colt’s, where any bonds between the companies were severed, and the contract technically did not involve CA? Maybe what they mean is that CA has had data security measures in place for a long time now, so the NH AG need not worry the sorry scenario will be replicated at CA proper.
Unfortunately, breaches can and do take the form of a “black swan” event, borrowing Taleb’s expression. A data breach at any company is a matter of when, be it CA or any other company, no matter how successful they’ve been at information security in the past. The good news is that there are tools like AlertBoot to decrease the potential incidence of a data breach. The bad news is there is no way to eliminate data breaches. The worst news? You work for a pointy‑haired boss who doesn’t understand this and commissions you to find something that will literally prevent data breaches 100%. (If you don’t understand why, despite sounding sensible, this doesn’t make sense, there’s a good chance you are the PHB).
The Cleveland Clinic is looking into the disappearance of a laptop computer. The clinic has not confirmed what type of information was stored on the machine; however, all affected patients have been notified and offered resources for identity theft protection. Quite obviously, a laptop encryption solution like AlertBoot was not used to secure the contents of that computer; otherwise, such a move would have been unnecessary.
Is laptop encryption necessary? If so, is it economically viable? After all, most clinics are not known to be profit centers. I would imagine that this is especially so in the case of the Cleveland Clinic—it’s a non‑profit organization, and an academic one at that. (Granted, you can have a non‑profit, academic organization that makes money. Ever take a look at Harvard’s endowment?) I have no idea how non‑profit medical entities work, but I’d imagine that any money spent on things like encryption software would mean there’s less money left for research and patient care.
At the same time, a medical organization tends to concentrate on ensuring a patient’s well‑being. While counseling on financial matters is outside the professional scope of clinics, doctors would be horrified to know a data breach on their part had an impact on the overall well‑being of a patient, even if it’s financial in nature. (I mean, there can’t be too many doctors out there that go around thinking, “yeah, you’re an identity theft victim because of me, but I fixed your pancreas, so, I figure we’re even.”)
Plus, patient confidentiality is held sacrosanct by medical professionals. How is one going to uphold confidentiality without locked doors and locked file cabinets? Granted, patient confidentiality is not meant in the above sense—but locking stuff up is the first step in keeping things confidential. And what a lock is to a door, data encryption is to computers and other digital devices where information is stored. In other words, if you’ve got a laptop computer, laptop encryption is necessary.
But is this financially viable? Without concrete numbers, there is no way to tell (hm…maybe I’ll attempt a calculation in a future post to see how the figures would turn out under certain assumptions). I can tell you this much though. From just a financial standpoint, any organization that holds the records of millions of people will probably find computer encryption to be well worth it. That’s because, at least for AlertBoot, the monthly cost of having one laptop encrypted is similar to the monthly cost of having a person covered with credit monitoring. And if I may point out, most companies have fewer computers than customers.
Burglars broke into a Minneapolis Veterans Home about a week ago, making off with a number of items, including keyboards (think Guns N’ Roses, not Bill Gates), a tool kit, a guitar, a Nintendo Wii (the bastards!), and a laptop computer. Luckily, there was no sensitive information on the laptop, so full disk encryption like AlertBoot was not necessary on that particular system. Belatedly, however, a backup server was found missing.
The server contained information on residents of the home and dependents. I take it that by “residents,” anyone who spends considerable time at the home is included, since it’s not only the veterans that are being alerted, but also employees and “others” (who the “others” are, the article—link below—does not specify), in an effort to let them know how to protect themselves from identity theft.
The server was password‑protected, but there is no mention of any type of encryption solution on that particular machine. Password‑protection guarantees about as much data security as a Japanese rice‑paper door: i.e., not much data protection at all. According to another article, the information included telephone numbers, addresses, next‑of‑kin, dates of birth, Social Security numbers, and medical diagnoses.
Why was the server belatedly found to be missing? According to the articles, because the backup server wasn’t in use at the time of the incident. Also, the articles noted that the burglaries happened at two buildings—perhaps most of the stolen goods were in one building, and the server happened to be in the other?
Regardless, this incident brings up two points about data security. First, if you have sensitive information and it’s going into storage, no matter how temporary, you must find a way to guarantee its safety. Paper documents go into a locked file cabinet, which goes behind a locked door. Could there be more security attached to paper-based documents? Sure. You could post a guard—but having a guard expressly to guard documents is anathema to cost‑conscious managers. They’d have to have at least three guards working around the clock, or perhaps pay substantial overtime.
The second point is that data security requires constant auditing. In other words, if you’re not aware that information is missing, you don’t know you have a data security breach. Even if one has subscribed to a computer tracking service, one would still not know that there has been a breach: tracking begins when one calls in to have a stolen computer tracked…you know, after he finds the computer missing.
Hard disk encryption, while no security panacea (you won’t find one out there, I guarantee you) at least alleviates the problems associated with the above two points. To begin with, a security solution like full disk encryption works around the clock, since it’s incorporated into the machine. It’s more like Santa Claus than a security guard. It’s there when you’re sleeping. It’s there when you’re awake. It’s there when the computer’s stolen, so use it for goodness’ sake!
As for the second point, full disk encryption can’t do much for you—if you’re looking to be alerted when a computer gets stolen. However, you need not worry about what happened to the data between the time the computer got stolen, the time someone noticed it got stolen, and the time it was recovered (if it gets recovered). You know the data was kept safe, and an information security breach was averted.
Now, this is not something that is exactly news. It’s always been known that, for example, if you have to encrypt the contents of your laptop, a laptop encryption solution like full disk encryption is a better alternative to something like file encryption. The researchers (article link down below) have only confirmed something that is (slightly) common knowledge.
As the researchers at the University of Washington and British Telecommunications have pointed out, when one is working with encrypted data, certain applications will save temporary files of that data in unencrypted format, generally in some random directory if my experience means anything. These temporary files generally exist as a countermeasure to people’s forgetfulness: one is supposed to save their work every five minutes, something that I still do to this day (in fact, when working with a text document, I tend to hit control‑save after every other sentence or so. It doesn’t take long, and it’s a natural move for my fingers while I scan for spelling mistakes on what I just typed).
Of course, almost no one ever saves their data every five minutes. I remember a classmate of mine who hadn’t saved five hours’ worth of CAD drawings for a final project…and the computer she was working on crashed two hours before the deadline. Due to instances like these, software developers thought of a way for the software application to save the users from themselves. The answer? Have the application itself save whatever you’re working on at certain intervals, like every 10 minutes; however, also keep them out of sight so that users are not freaked out by these renegade files that appear out of nowhere.
So, the files are saved to some temporary directory that gets purged every so often. However, until purged, the files will exist with the exact data you were working on at the time it got saved. This data is not encrypted because…well, who goes around looking for these files to encrypt them one by one? Depending on how long you’ve kept the original file open, you may have anywhere from five to twenty temporary files—perhaps even more (I speak from personal experience). And that’s for one original document. If you’ve been working on several different files throughout the day….
These temporary files are the reason why security professionals will often recommend hard drive encryption over file encryption, if only one of them is to be used. But because file and hard drive encryption are not mutually exclusive security measures, many people would recommend both. Encrypting the entire disk means not having to worry about scenarios involving temporary files; file encryption means not having to worry about security breaches if you send an e-mail to the wrong address.
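To make the temporary-file problem concrete, here is an added example (not code from the original post or from the researchers' work) of an audit that walks temp directories and flags leftover files still holding readable sensitive data. The SSN-like pattern, the autosave suffix list, the function names and the sample files are all assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumption: SSN-like strings stand in for "sensitive data"; a real audit
# would add patterns for whatever the organization actually stores.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Assumption: typical autosave/temp suffixes; tune per application.
AUTOSAVE_SUFFIXES = (".tmp", ".asd", ".bak", ".swp")


def scan_for_plaintext_leftovers(roots, max_bytes=1_000_000):
    """Walk temp directories and report files holding readable SSN-like data."""
    findings = []
    now = time.time()
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = Path(dirpath) / name
                try:
                    if path.is_symlink() or not path.is_file():
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read(max_bytes)
                    age_min = (now - path.stat().st_mtime) / 60
                except OSError:
                    continue  # locked or unreadable: skip, keep auditing
                # Drop NUL bytes so UTF-16 text in office temp files matches too.
                hits = SSN_RE.findall(data.replace(b"\x00", b""))
                if hits:
                    findings.append({
                        "path": str(path),
                        "matches": len(hits),  # count only; never echo values
                        "autosave_name": name.startswith("~")
                        or name.lower().endswith(AUTOSAVE_SUFFIXES),
                        "age_minutes": round(age_min, 1),
                    })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(base):
    """Constructed sample data: two plaintext autosaves and one clean file."""
    base = Path(base)
    (base / "app").mkdir()
    (base / "~payroll.tmp").write_bytes(b"Doe, Jane 000-12-3456\nRoe, Rick 000-98-7654\n")
    (base / "app" / "autorecover.asd").write_bytes("SSN: 000-11-2222".encode("utf-16-le"))
    (base / "notes.txt").write_bytes(b"meeting at 10:30, room 555-1212\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for finding in scan_for_plaintext_leftovers([build_demo_tree(d)]):
            print(finding)
```

On a machine with full disk encryption these leftovers are still protected when the device is powered off; with file encryption alone, every file this audit reports is readable by whoever holds the disk.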
The Missouri National Guard has issued a press release, announcing that there was a data breach that could affect 2000 servicemen (and, of course, women). There is no word yet whether some form of data protection, like AlertBoot encryption software, was used. The military is being extremely tight‑lipped since there is an investigation underway, according to pogowasright.org.
While the MO National Guard already has a robust information security program, they’re taking this opportunity to see where the weaknesses lie. Despite the lack of details, it seems that some type of hardware containing the information was lost. This implies that it was the loss of either a computer—a laptop or a desktop—or some type of storage device—either an external hard drive or even a small flash drive. The information that may be compromised includes names, SSNs, and military unit assignments.
It is my understanding that the military had decided to encrypt any data at rest in computers earlier this year. The US military, not being a small organization, probably will need until the end of this year, at least, to ensure that all computers are encrypted.
Where am I getting this “one year?” I’m guessing. Per my experience, nothing that is “administrative” in nature takes more than one year to complete in the military, unless the project is gargantuan—in that case, it might be extended to two years. (No such thing as 1.5 years.) Now, the military’s goal of encrypting all computers is gargantuan; however, it’s also urgent. That means that they’re probably planning for this to finish sooner than later, meaning the deadline gets cut from two years to one year—or, in this case, the end of this year.
Of course, once a decision has been made, one has to go through the process of actually installing laptop encryption and/or other data security measures. Now, this process can’t be massively parallel—that is, one can’t encrypt all the machines at the exact same time. It can be done in batches but, the last time I heard, the maximum number of computers in a batch tops out at 2000 computers for any technology out there. When you consider how many computers the military must have—plus external data devices like hard drives—encryption is something of a logistics nightmare, and can only take time.
Thus, it’s not surprising that instances like the above occur from time to time. The other day I wrote about a Hong Kong hospital that became victim to a data breach while they were in the process of encrypting sensitive data, for example. It’s the risk taken when data security becomes an afterthought—things become much more complex, and leave you vulnerable to additional risks.
Santa Ana claimed that history repeats itself. It seems that this statement can be modified to read, “Data breaches repeat themselves.” Now, if you or your company decides to use encryption software like AlertBoot, it could be modified to read, “theft happens. Thank god we don’t have a data breach.”
Yeah. I’m no Santa Ana when it comes to memorable quotes.
Moving on. The reason why I bring this up is because file encryption could have helped Bristol‑Myers Squibb (BMY) in their recent data‑related plight. According to the Dow Jones, a backup tape containing sensitive information of BMY’s employees was stolen. The information that may be compromised is…quite a lot, actually: names, addresses, dates of birth, Social Security numbers, marital information (pardon my ignorance, but how is this critical information? No adultery jokes, please), and, in some cases, bank-account information.
Of course, this is similar in nature to what the other big pharmaceutical company, Pfizer, experienced earlier this year. If only BMY had taken notice of what had happened then, they may not have this problem now.
Bristol-Myers hasn’t specified how many people were affected by this data breach, but as the Dow Jones points out, there were approximately 42,000 employees at the company as of the last financial filing. If the breach at Pfizer is any indication—and it may not be, but history does repeat itself—my guess would be that pretty much all of them would be affected by this breach.
How could this have been averted? Well, file encryption—known in some circles as content encryption—would have helped. Chances are full disk encryption would not have been of much use due to technical reasons that I won’t go into; however, encrypting the backup files would have definitely worked.
The problem is, of course, execution and even the process itself. I can almost see people’s eyebrows going up in puzzlement (the process? That doesn’t bode well). Encryption is not hard—you just click a couple of buttons, as is customary with today’s software. The problem reveals itself in the fact that people actually have to click those buttons. Even something like full disk encryption—where you set it up and forget about it—requires that someone initiate the process.
Now, knowing that people back up data because that data is worth backing up, it’s strange that people fail to encrypt information on backup tapes. I mean, isn’t the purpose of encryption to protect data that is worth keeping around? (And, in some cases, for data you don’t want to keep around but still need to keep confidential—hence the sale of shredders among other security products, for example.)